Abstract. This paper presents a novel approach to the design verification of Software Product Lines (SPL). The proposed approach assumes that the requirements and designs are modeled as finite state machines with variability information. The variability information at the requirement and design levels is expressed differently and at different levels of abstraction. The proposed approach also supports verification of SPLs in which new features and variability may be added incrementally. Given the design and requirements of an SPL, the proposed design verification method ensures that every product at the design level behaviorally conforms to a product at the requirement level. The conformance procedure is compositional in the sense that the verification of an entire SPL consisting of multiple features is reduced to the verification of the individual features. The method has been implemented and demonstrated in a prototype tool SPLEnD (SPL Engine for Design Verification) on a couple of fairly large case studies.



1 Introduction

Large industrial software systems are often developed as Software Product Lines (SPL) with a common core set of features which are developed once and reused across all the products. The products in an SPL differ on a small set of features which are specified using variation points. The focus of this paper is on modeling and analysis of SPLs, which have drawn the attention of researchers recently [1,2,3].

Many approaches have been proposed to describe SPLs, the most prominent one being feature diagrams. All these proposals seem to assume a global view of the SPL, as they start with a complete list of features and variation points using a single vocabulary. All the subsequent SPL assets, like requirement documents, design models, source code, test cases and documentation, share the same definition and vocabulary [4,5]. The assumption of a single homogeneous and global view of variability description is inapplicable in many practical settings, where there is no top-level complete description of features and variabilities. They often evolve during the long lifetime of an SPL as new features and variabilities are added during the evolution. Further, SPL developers tend to use different representations and vocabularies of variability at different stages of development: at the requirement level, a more abstract and intuitive description of variation points is used, while at the design level, the efficiency of implementation of variation points is of primary concern. For example, consider the case of an automotive SPL, where one variation point is the region of sale (e.g. Asia Pacific, Europe, North America, etc.). At the requirement level, this variation point is expressed directly as an enumeration variable assuming one value for every region. At the design level, however, the variation point is expressed using two or three boolean variables; by setting the values of the boolean variables appropriately, the behavior specific to a region is selected at the time of deployment.

We present a design verification approach that is better suited to the above kind of evolving SPLs, in which different representations of variabilities are used at the requirement and design levels. One natural and unique problem that arises in this context is to formally relate the variation points expressed at different levels of abstraction. Another challenge is the analysis complexity: the number of products is exponential in the number of variation points and hence product-centric analyses are not scalable. We propose a compositional approach in which every feature of the SPL is first analyzed independently; the per-feature analysis results are then combined to get the analysis result for the whole SPL.

For capturing variability in the behavior of an SPL, we have extended the standard finite state machine model; we call the extension Finite State Machines with Variability, in short FSMv. The behavior and variability of a feature at the requirement and design level can be modeled using FSMv. We define a conformance relation between FSMvs to relate the requirement and design models. This relation is based upon the standard language containment of state machines.

One unique feature of FSMv is that it provides a compositional operator 
for composing the feature state machines to obtain a model for an SPL. This 
operator thus enables incremental addition of features and variabilities. The 
proposed verification approach exploits the compositional structure of the SPL 
models to contain the analysis complexity. 
Fig. 1. The proposed verification framework.



Figure 1 summarizes the proposed approach. It shows an SPL composed of features $f_1$ to $f_n$. Each feature has an FSMv model of its requirements (called FSMr) and an FSMv model derived from its design (called FSMd). The proposed analysis method checks whether the FSMd of every feature conforms to its FSMr (1st check). The output of this first step is a conformance relation between each pair of FSMr and FSMd. The obtained conformance relations are then used to check whether the actual behavior of the entire SPL conforms to the expected one (2nd check). We reduce this check to checking the satisfiability of a Quantified Boolean Formula (QBF). There is no need to build the entire behavioral model of the SPL in the second step.

We have built a prototype tool SPLEnD based upon this approach. This tool performs the first check using SPIN [6], while the well-known QBF SAT solver CirQit [7] is used for the second step. We have experimented with the tool using modest industrial-size examples with very encouraging results. An earlier version of this work (October 2012) can be found online.

1.1 Related works 

FSMv and the proposed design verification approach were developed independently but have some apparent similarities with the FTS+ model [2], which also extends finite state machines to include certain product variability information. However, there is a motivational difference between the two formalisms. The aim of FTS+ is to model the entire SPL and hence there is a single global machine with a single global vocabulary for expressing variabilities; the variability information represents the presence/absence of features in the SPL. In contrast, our approach is based upon a different view of SPL: a feature with variability is an increment in functionality and an SPL is a collection of features. We use a single FSMv to model a feature, and a whole SPL is modeled as a parallel composition of FSMv machines.

The difference in viewpoint has another consequence: FTS+ models, since they model the entire SPL, tend to be large and hence have high analysis complexity. Efficient abstraction techniques are hence used for solving this problem [3]. In contrast, each FSMv models a fraction of the functionality and hence can be analysed easily. Further, the entire SPL can be modeled as a composition of FSMvs and can be efficiently analysed using composition techniques.

Many other behavioral models have also been proposed [9,10,11,12], which are usually coupled with a variability model such as OVM [8], the Czarnecki feature model [4], or VPM [13] to attain a fair level of variability expressibility. Unlike all these approaches, FTS+ [2] and FSMv capture the variability in an explicit way, which we find more intuitive.

The Variation Point Model (VPM) of Hassan Gomaa [13] distinguishes between variability at the requirement and design levels, but no design verification approach has been presented. Kathrin Berg et al. [14] propose a model for variability handling throughout the life cycle of the SPL. Andreas Metzger et al. [15] and M. Riebisch et al. [16] provide a similar approach, but they do not consider the behavioral aspect. In the proposed approach, we extract the relation between requirement and design level variability from a behavioral analysis.

Kathi Fisler et al. [17] have developed an analysis based on three-valued model checking of automata defined using step-wise refinement. Later on, Jing Liu et al. [18] revisited Fisler's approach to provide a much more efficient method. Recently, Maxime Cordy et al. have extended Fisler's approach to LTL formulae [19]. Kim Lauenroth et al. [20], as well as Andreas Classen et al. [2,3] and Gruler et al. [21], have developed model checking methods for SPL behavior. These methods are based on the verification of LTL/CTL/modal $\mu$-calculus formulae.

All these verification methods assume a global view of variability, and hence the representation of variability information is identical in both the specification and the design. In contrast, in our work the specification and the design involve variability information at different levels of abstraction, and hence one needs mapping information between the two levels. Furthermore, our formalism allows incremental addition of functionality and variability and enables compositional verification.

2 Design Verification of a Single Feature 

An SPL, in general, consists of multiple features, each feature having different functionality and variability. A typical body control software of an automotive system is an SPL that has several features such as door lock, lighting, seat control, etc. Each of these features has a distinct function and variability. For example, the locking behaviour of a door lock function has a variation point called transmission type. If the transmission type is manual, then the door is locked after the speed of the vehicle exceeds a certain threshold value; for automatic transmission, the door is locked when the gear position is shifted out of park. In this section we focus on modeling and relating the design of a single feature to its requirement.

2.1 FSMv and language refinement

Finite State Machines with Variability (FSMv) is an extension of finite state machines to represent all possible behaviours of a feature. Let $Var$ be a finite set of variables, each taking a value ranging over a finite set of values. Let $x \in Var$, and let $Dom(x)$ be the finite set of values that $x$ can take. The atomic formulae we consider are $x = a$, $x \neq a$, $x = y$ and $x \neq y$ for $a \in Dom(x)$ and $x, y \in Var$. Let $\mathcal{A}_{Var}$ denote the set of atomic formulae over $Var$, and let $\alpha$ represent a typical element of $\mathcal{A}_{Var}$. Define

$$\mathcal{A} ::= \alpha \mid \neg \mathcal{A} \mid \mathcal{A} \wedge \mathcal{A} \mid \mathcal{A} \vee \mathcal{A} \mid \mathcal{A} \Rightarrow \mathcal{A}$$

to be the set of all well formed predicates over $Var$.



Definition 1 (FSMv). An FSMv is a tuple $A = (Q, q_0, \Sigma, Var, E, \rho)$ where: (1) $Q$ is a finite set of states and $q_0$ is the initial state; (2) $\Sigma$ is a finite set of events; (3) $Var$ is a finite set of variables; (4) $E \subseteq Q \times \mathcal{A} \times \Sigma \times Q$ gives the set of transitions. A transition $t = (s, g, a, s')$ represents a transition from state $s$ to state $s'$ on event $a$; the predicate $g$ is called the guard of the transition $t$; $g$ is consistent and defines the variability domain of the transition; (5) $\rho \in \mathcal{A}$ is a consistent predicate called the global predicate.

The variables in $Var$ determine the variability allowed in the feature, with each possible valuation of the variables corresponding to a variant. The allowed values of the variables are constrained by the global predicate $\rho$. For example, if $\rho$ is $((x = 1) \vee (x = 2)) \wedge (x = y - 1)$, then the allowed variants are those for which the values of the pair $(x, y)$ are $(1, 2)$ and $(2, 3)$. The predicate in a transition determines the variants to which the transition is applicable. While drawing a transition $t = (s, g, a, s')$, the edge connecting $s$ to $s'$ is decorated with $g : a$. When $g$ is true, we simply write $a$ on the edge.

Definition 2 (Configuration). A configuration, denoted by $\pi$, is an assignment of values to the variables in $Var$. The set of all configurations is denoted by $\Pi_{Var}$, or $\Pi$ when $Var$ is clear from the context. Define $\Pi(\rho) = \{\pi \mid \pi \models \rho\}$ to be the set of all those configurations that satisfy $\rho$. The elements of $\Pi(\rho)$ are called valid configurations. Given a valid configuration $\pi$ and a transition $t = (s, g, a, s')$, we say that $t$ is enabled by $\pi$ if $\pi \models g$.

As a concrete example of an FSMv, consider the feature Door lock in an automotive SPL, which controls the locking of the doors when the vehicle starts. The expected behavior of this feature is modeled using the FSMv $Req_{dl}$ described pictorially in Figure 2. In the initial state, this feature becomes active when all the doors are closed. The doors are locked when either the speed of the vehicle exceeds a predefined value or the gear is shifted out of park. An unlock event reactivates the feature. There are four configurations for this feature, all of which are described using the three variables DL_Enable, Transmission_dl and DL_User_Pref. The top box denotes the values that these variables can assume, and the bottom box gives the global predicate ($\rho$) associated with the machine. $\rho$ ensures that in every valid configuration, the variable Transmission_dl having the value Manual implies that DL_User_Pref takes the value Speed. This captures the fact that in manual transmission, there is no park position on the gearbox. To avoid clutter, we have replaced guards of the form $x = i$ with $i$ in the figure. The transition labeled with $Disable : *$ means that when DL_Enable assumes the value Disable, it stalls on any event.

Requirement against Design. In the requirements of a product line, the variability is usually discussed in terms of variation points, which are at a high level of abstraction and focused on clarity and expressibility. The restriction of the possible configurations is expressed as general constraints on these variation points, e.g., the global predicate $Manual \Rightarrow Speed$ in the Door lock example.



Fig. 2. The FSMv of the feature Door lock. (Figure not reproduced. Its variable box reads DL_Enable: {Enable, Disable}, Transmission_dl: {Auto, Manual}, DL_User_Pref: {Speed, Park}; its global predicate box reads $Manual \Rightarrow Speed$; one transition is labeled $Disable : *$.)



In contrast, in a design, the variability description is constrained by efficiency, implementability, ease of reconfiguration and deployment considerations. For instance, in automotive applications, one often finds calibration parameters ranging over a set of boolean values. Further, the constraint on the calibration parameters ($\rho$) takes the special form of a list of the possible configurations of the calibration parameters, in order to easily configure the design.

FSMv can capture both the design as well as the requirements of a feature. We distinguish the requirement and design models by denoting them FSMr and FSMd respectively. Figure 2 presents the FSMr, $Req_{dl}$, of the feature Door lock. The FSMd, $Des_{dl}$, of the feature Door lock is presented in Figure 3. The structure of $Des_{dl}$ is similar to $Req_{dl}$ except that the top elliptical shaped state in Figure 2 is split into two states (the top and the bottom elliptical shaped states) in Figure 3. The top state is for auto-transmission whereas the bottom one is for manual transmission, as can be seen from the configuration labels of the two transitions going from the initial state. Two variables Cp1 and Cp2 encode the possible configurations in the FSMd. The box in Figure 3 depicts the set of possible values of these. Cp1 = Auto corresponds to the configuration in which the transmission is Auto, whereas Cp1 = Moff corresponds to either the manual transmission or the case when Cp1 is disabled; similarly, Cp2 = Speed means that the user preference is set on Speed, while Cp2 = Poff means either Park or the case when Cp2 is disabled.




Fig. 3. $Des_{dl}$: the FSMd abstracted from the design of the feature Door lock.



2.2 Variants of FSMv and Conformance 

Having described the design and requirement behaviour of a feature $f$ using FSMd and FSMr respectively, we now define the notions of variants and conformance. A variant of an FSMv corresponds to one of the several possible behaviours of the feature (at the design or requirement level respectively). Given a feature $f$ and an (FSMd, FSMr) pair corresponding to $f$, we say that the design of $f$ conforms to the requirements of $f$ provided every variant of the FSMd has a corresponding FSMr variant.

Definition 3 (Variant of an FSMv). Let $A = (Q, q_0, \Sigma, Var, E, \rho)$ be an FSMv and $\pi \in \Pi(\rho)$ be a valid configuration of $A$. A variant of $A$ is an FSM obtained by retaining only the transitions $t = (s, g, a, s')$, and the states $s, s'$, such that $\pi \models g$. Once the relevant states and transitions are identified, we remove the guards $g$ from all the transitions; $\rho$ is also removed. The resultant FSM is denoted $A \downarrow \pi$.

In the example of the FSMr for the feature Door lock, the variant $Req_{dl} \downarrow (Enable, Auto, Park)$ does not contain the transitions with the events $Speed > n$ and $*$. We compare the FSMd and FSMr of a feature $f$ using their variants. Given an FSMv $A$, we associate with each configuration $\pi$ of $A$ the language of the FSM $A \downarrow \pi$, denoted by $L(A \downarrow \pi)$. We say that an FSMd $A_d$ conforms to an FSMr $A_r$ if and only if the behaviour of every variant of $A_d$ is contained in the behaviour of some variant of $A_r$.

Definition 4 (The conformance mapping $\Phi$). Let $A_r$ and $A_d$ be a pair of FSMr and FSMd respectively, with global predicates $\rho^r$ and $\rho^d$. Let $\Pi_d, \Pi_r$ be the sets of all design and requirement configurations. Then $A_d$ conforms to $A_r$, denoted $A_d \sqsubseteq_\Phi A_r$, if there exists a mapping $\Phi : \Pi_d(\rho^d) \to 2^{\Pi_r(\rho^r)}$ such that $\forall \pi_d \in \Pi_d(\rho^d)$, $\exists \pi_r \in \Pi_r(\rho^r)$ satisfying $L(A_d \downarrow \pi_d) \subseteq L(A_r \downarrow \pi_r)$. $\Phi$ is called the conformance mapping.

In the feature Door lock, $\Phi((Moff, Speed))$ contains $(Enable, Manual, Speed)$ since $L(Des_{dl} \downarrow (Moff, Speed)) \subseteq L(Req_{dl} \downarrow (Enable, Manual, Speed))$.

2.3 Checking the conformance 

Let $f$ be a feature with FSMr $Req_f$ and FSMd $Des_f$. Then the conformance checking problem is to compute a mapping $\Phi$ such that $Des_f \sqsubseteq_\Phi Req_f$.

The conformance mapping is computed by comparing every projection of $Des_f$ with every projection of $Req_f$. Algorithm 1, given below, presents a possible implementation using the standard automata containment algorithm [22], as implemented in the SPIN model checker [6]. To use SPIN, one describes the system along with the checked property in the Promela language [6]. Out of this description, SPIN generates the file pan.c, which is the verifier for the system. After compilation, the pan(.exe) executable performs the verification.



Algorithm 1 starts by generating a Promela file containing the definition of (i) the environment, (ii) $Des_f$, (iii) $Req_f$, (iv) the initialization sequence and (v) a never claim which holds for the language containment condition. During the initialization, the configurations of $Des_f$ and $Req_f$ are initialized with a random pair of configurations. Then the environment, followed by $Des_f$ and $Req_f$, are run atomically. The never claim assertion is $never(\neg error(Des_f) \wedge error(Req_f))$, where $error(X)$ means that $X$ is in the error state. The never claim is violated when the design is not in the error state but the requirement process is in the error state. This corresponds to a design configuration $\pi_d$ such that $Des_f \downarrow \pi_d$ handles an event while $Req_f \downarrow \pi_r$ does not, for all possible requirement configurations $\pi_r$. Algorithm 1 runs the full verification algorithm of SPIN for every pair $(\pi_d, \pi_r)$ of design and requirement configurations. SPIN (i.e. pan(.exe)) returns the list of pairs for which the conformance condition is violated. Every other pair is added to the conformance mapping $\Phi$. Lemma 5 proves the correctness of Algorithm 1.



Algorithm 1 implements the conformance checking using SPIN.
Input: $Des_f$, $Req_f$.
Output: The mapping $\Phi$ when $Des_f \sqsubseteq_\Phi Req_f$.

1. Generate a Promela file which contains $Req_f$, $Des_f$, the environment, the never claim, and the initialization sequence.
2. Launch the full verification algorithm of SPIN.
3. Build the mapping $\Phi$ from the output of SPIN.
4. Conclude whether the design conforms to the requirement:
   if $\forall \pi_d \in \Pi(\rho_d)$, $\Phi(\pi_d) \neq \emptyset$ then
       return true along with $\Phi$
   else
       return false along with $\pi_d$ (where $\pi_d$ has no correspondence through $\Phi$)
   end if



Lemma 5. Given FSMd $Des_f$ and FSMr $Req_f$ for a feature $f$, let $(\pi_d, \pi_r)$ be a pair of design and requirement configurations. Then $L(Des_f \downarrow \pi_d) \not\subseteq L(Req_f \downarrow \pi_r)$ if and only if $\neg error(Des_f) \wedge error(Req_f)$.

Proof. Assume $L(Des_f \downarrow \pi_d) \not\subseteq L(Req_f \downarrow \pi_r)$. Then there exists a word $w \in L(Des_f \downarrow \pi_d)$ which is prefixed by $u.e$, with $u$ a finite prefix of a word in $L(Req_f \downarrow \pi_r)$, and $e$ an event such that $u.e$ is not a prefix of any word in $L(Req_f \downarrow \pi_r)$. In such a situation, $Des_f$ does not go to the error state but $Req_f$ does.

Conversely, if $L(Des_f \downarrow \pi_d) \subseteq L(Req_f \downarrow \pi_r)$, then whenever $Des_f$ is not in an error state, $Req_f$ will also not be in an error state. □
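The per-feature check of Algorithm 1 and Lemma 5, as an added example that is not part of the paper or of SPLEnD: it computes the conformance mapping $\Phi$ of Definition 4 by exploring the product of two variants instead of running SPIN on a Promela never claim, on constructed Door lock models that approximate Figures 2 and 3. The transition structure of $Req_{dl}$ and $Des_{dl}$, the event names and the placement of the $Disable : *$ self-loop are assumptions, since the figures are not in the text.

```python
"""FSMv variants and per-feature conformance checking (Sections 2.2, 2.3).
Constructed models of the Door lock feature; containment is decided by
exploring the product of two variants instead of running SPIN."""
from collections import deque
from itertools import product


class FSMv:
    """A = (Q, q0, Sigma, Var, E, rho); guards and rho are callables on a dict."""

    def __init__(self, q0, domains, transitions, rho=lambda pi: True):
        self.q0, self.domains, self.rho = q0, domains, rho
        self.transitions = transitions  # list of (s, guard, event, s')

    def valid_configurations(self):
        """Pi(rho) of Definition 2: every assignment that satisfies rho."""
        names = list(self.domains)
        allcfg = (dict(zip(names, v)) for v in product(*(self.domains[n] for n in names)))
        return [pi for pi in allcfg if self.rho(pi)]

    def variant(self, pi):
        """A ↓ pi of Definition 3: transitions enabled by pi, guards dropped,
        as {(state, event): set of successor states}."""
        delta = {}
        for s, g, a, t in self.transitions:
            if g(pi):
                delta.setdefault((s, a), set()).add(t)
        return delta


def key(pi):
    return tuple(sorted(pi.items()))  # hashable form of a configuration


def contained(delta_d, q0_d, delta_r, q0_r):
    """Decide L(D ↓ pi_d) ⊆ L(R ↓ pi_r) (prefix-closed languages). Returns None
    on containment, else a witness word u.e: both machines read u, then D
    accepts e while R has no move (not error(D) and error(R), Lemma 5)."""
    start = (q0_d, frozenset([q0_r]))
    seen, queue = {start}, deque([(start, ())])
    while queue:
        (d, rs), word = queue.popleft()
        for (s, a), succ_d in delta_d.items():
            if s != d:
                continue
            succ_r = set().union(*(delta_r.get((r, a), set()) for r in rs))
            if not succ_r:
                return word + (a,)
            for d2 in succ_d:
                nxt = (d2, frozenset(succ_r))
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, word + (a,)))
    return None


def conformance_mapping(des, req):
    """Algorithm 1 without SPIN: Phi(pi_d) = {pi_r | L(Des↓pi_d) ⊆ L(Req↓pi_r)}.
    Returns (conforms, Phi, first pi_d with empty Phi(pi_d) or None)."""
    phi = {}
    for pi_d in des.valid_configurations():
        phi[key(pi_d)] = {key(pi_r) for pi_r in req.valid_configurations()
                          if contained(des.variant(pi_d), des.q0,
                                       req.variant(pi_r), req.q0) is None}
        if not phi[key(pi_d)]:
            return False, phi, pi_d
    return True, phi, None


EVENTS = ("DoorsClosed", "SpeedAboveN", "ShiftOutOfPark", "Unlock")


def eq(var, val):
    return lambda pi: pi[var] == val  # guard of the form var = val


# Req_dl, constructed after the description of Figure 2: Disable stalls on any
# event (self-loop on every event); global predicate Manual => Speed.
REQ_DL = FSMv(
    "Init",
    {"DL_Enable": ("Enable", "Disable"), "Transmission_dl": ("Auto", "Manual"),
     "DL_User_Pref": ("Speed", "Park")},
    [("Init", eq("DL_Enable", "Enable"), "DoorsClosed", "Active"),
     ("Active", eq("DL_User_Pref", "Speed"), "SpeedAboveN", "Locked"),
     ("Active", eq("DL_User_Pref", "Park"), "ShiftOutOfPark", "Locked"),
     ("Locked", lambda pi: True, "Unlock", "Active")]
    + [("Init", eq("DL_Enable", "Disable"), a, "Init") for a in EVENTS],
    rho=lambda pi: (pi["Transmission_dl"] != "Manual" or pi["DL_User_Pref"] == "Speed"))

# Des_dl, constructed after the description of Figure 3: the active state is
# split by Cp1; (Moff, Poff) is the disabled case and never locks.
DES_DL = FSMv(
    "Init",
    {"Cp1": ("Auto", "Moff"), "Cp2": ("Speed", "Poff")},
    [("Init", eq("Cp1", "Auto"), "DoorsClosed", "ActiveAuto"),
     ("Init", eq("Cp1", "Moff"), "DoorsClosed", "ActiveManual"),
     ("ActiveAuto", eq("Cp2", "Speed"), "SpeedAboveN", "Locked"),
     ("ActiveAuto", eq("Cp2", "Poff"), "ShiftOutOfPark", "Locked"),
     ("ActiveManual", eq("Cp2", "Speed"), "SpeedAboveN", "Locked"),
     ("Locked", eq("Cp1", "Auto"), "Unlock", "ActiveAuto"),
     ("Locked", eq("Cp1", "Moff"), "Unlock", "ActiveManual")])
```

`conformance_mapping(DES_DL, REQ_DL)` returns the mapping; a witness such as `("DoorsClosed", "SpeedAboveN")` from `contained` is exactly the trace on which SPIN's never claim would fire.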



3 Design Verification of SPL 



In the previous section, we looked at individual features in an SPL and provided 
a method for comparing the design and requirements of a feature, both contain- 
ing variabilities. In this section, we extend this method to verifying a whole SPL 
design against its requirements. An SPL is essentially a composition of multiple 
features satisfying certain constraints. We define a parallel composition opera- 
tor over FSMv to model an SPL. The features in an SPL can interact and we 
follow one of the standard methods of allowing the composed FSMv models to 
share some common events, which correspond to two-party handshake commu- 
nication events. A distinguishing aspect of the proposed parallel operator is that 
it takes into account the constraints across the composed machines. The con- 
straints could be of various types, e.g. dependency and exclusion relations, and 
are modeled as predicates over variables of the composed features. 

Definition 6 (Parallel composition of FSMv). Let $A_x = (Q_x, q_0^x, \Sigma_x, Var_x, E_x, \rho_x)$, $x \in \{1, 2\}$, be two FSMv's with $Var_1 \cap Var_2 = \emptyset$. Let $H = \Sigma_1 \cap \Sigma_2$ be the set of handshaking events. Let $\rho_{12}$ be a predicate over $Var_1 \cup Var_2$ such that $\rho_{12} \wedge \rho_1 \wedge \rho_2$ is consistent. $\rho_{12}$ is the composition predicate capturing the possible constraints between the variabilities of the two composed features. Let $\rho = \rho_{12} \wedge \rho_1 \wedge \rho_2$.

The parallel composition of $A_1$ and $A_2$, denoted by $A = A_1 \parallel A_2$, is a tuple $(Q_1 \times Q_2, (q_0^1, q_0^2), \Sigma_1 \cup \Sigma_2, Var_1 \cup Var_2, E, \rho)$ with transitions defined as follows. Consider a state $(s_1, s_2) \in Q_1 \times Q_2$, and transitions $(s_1, g_1, a_1, s_1') \in E_1$ and $(s_2, g_2, a_2, s_2') \in E_2$.

(1) If $a_1 = a_2 = a \in H$, define $((s_1, s_2), g_1 \wedge g_2, a, (s_1', s_2')) \in E$, provided $g_1 \wedge g_2$ is consistent and $g_1 \wedge g_2 \models \rho$.

(2) If $a_1 \in \Sigma_1 \setminus H$, define $((s_1, s_2), g_1, a_1, (s_1', s_2)) \in E$, provided $g_1 \models \rho$.

(3) If $a_2 \in \Sigma_2 \setminus H$, define $((s_1, s_2), g_2, a_2, (s_1, s_2')) \in E$, provided $g_2 \models \rho$.

For illustration, consider the feature Door unlock, which automates the unlocking of the doors in a vehicle. Figure 4-a gives the FSMr of the feature extracted from the requirements. From the initial state, the feature becomes active when the event Lock happens. As soon as either the key is removed from the ignition or the gear is shifted to the park position, the doors get unlocked and the feature Door unlock becomes inactive. Figure 4-b presents the FSMd of the feature Door unlock. It is quite similar to the requirement except that the active state is split in two: the feature reacts to the Ignition Off event in one state, and to the Shift Into Park event in another state.

Let us consider the composition of the two FSMrs of the features Door lock and Door unlock. The handshake events between the two features are Lock and Unlock. In the composition, we introduce the following composition predicate: $(DU\_Enable = Enable \Leftrightarrow DL\_Enable = Enable) \wedge Transmission_{dl} = Transmission_{du}$, which brings out the natural constraints that the Door lock feature is enabled if and only if Door unlock is also enabled, and that the transmission status has to be the same.




Fig. 4. a) $Req_{du}$: the Door unlock FSMr and b) $Des_{du}$: the corresponding FSMd.



The valid configurations after composition are restricted by the composition predicate. We provide a few definitions to define composite valid configurations.

Definition 7 (Composing Configurations). Let $A_i = (Q_i, q_0^i, \Sigma_i, Var_i, E_i, \rho_i)$, $i \in \{1, 2\}$, be two FSMv's, and let $A = A_1 \parallel A_2$ be as given by Definition 6. Let $\rho = \rho_{12} \wedge \rho_1 \wedge \rho_2$ be the global predicate of $A$. Consider two valid configurations $\pi_1 \in \Pi(\rho_1)$ and $\pi_2 \in \Pi(\rho_2)$ of $A_1$ and $A_2$. The composition of $\pi_1, \pi_2$, denoted $\pi_{12}$, is a configuration over $Var_1 \cup Var_2$ such that $\pi_{12}$ agrees with $\pi_1$ over $Var_1$, agrees with $\pi_2$ over $Var_2$, and $\pi_{12} \models \rho$. $\pi_{12}$ is a valid configuration of $A$ and we denote it by $\pi_{12} = \pi_1 + \pi_2$.

Lemma 8. Let $A_1$ and $A_2$ be two FSMv's. For each valid configuration $\pi$ of $A_1 \parallel A_2$, there are valid configurations $\pi_1$ of $A_1$ and $\pi_2$ of $A_2$ such that $\pi = \pi_1 + \pi_2$.

Proof. Let $\pi \in \Pi(\rho)$ with $\rho = \rho_{12} \wedge \rho_1 \wedge \rho_2$ be a valid configuration of $A_1 \parallel A_2$. $\rho_1$ and $\rho_2$ are the global predicates of $A_1, A_2$ respectively, and $\rho_{12}$ is the composition predicate of $A_1, A_2$. By definition of valid configuration, $\pi \models \rho$; hence $\pi \models \rho_1$ and $\pi \models \rho_2$. Since $\pi$ is a configuration over $Var_1 \cup Var_2$, let us consider the restriction of $\pi$ to $Var_1$ and call the resulting configuration $\pi_1$. Then $\pi_1 \models \rho_1$. Similarly, call the restriction of $\pi$ to $Var_2$ $\pi_2$. Then $\pi_2 \models \rho_2$. Thus $\pi_1, \pi_2$ are respectively valid configurations of $A_1$ and $A_2$. Hence, by Definition 7, we obtain $\pi = \pi_1 + \pi_2$. □

In the example of the feature Door lock, the configuration $(Enable, Auto, Speed)$ of $Req_{dl}$ can be composed with $(Enable, Auto, Key)$ of $Req_{du}$ because the transmission is Auto in both (as required by the composition predicate). $(Enable, Auto, Speed, Enable, Auto, Key)$ is a configuration of the parallel composition of $Req_{dl}$ with $Req_{du}$.

The parallel composition of FSMv's is such that each variant of the composition of two FSMv's is equal to the composition of the variants of the individual FSMv's.



Lemma 9 (Variants of a composed FSMv). Let $A_1$ and $A_2$ be two FSMv machines. Let $\pi$ be a valid configuration of $A_1 \parallel A_2$. Then $L([A_1 \parallel A_2] \downarrow \pi) = L(A_1 \downarrow \pi) \parallel L(A_2 \downarrow \pi)$.$^3$

Proof. We review some preliminary definitions before the proof. In the following, the operation $\parallel$ stands for (i) the shuffle of words, (ii) the shuffle of languages, (iii) the parallel composition of FSMs, and (iv) the parallel composition of FSMvs. The context makes clear which is meant in each case.

Definition 10. Let $\Sigma_1, \ldots, \Sigma_n$ be $n$ finite sets of symbols. Let $\Sigma$ be a finite set. Given a word $w \in \Sigma^*$, we denote by $w \downarrow \Sigma_i$ the unique subword of $w$ over $\Sigma_i$. For example, if $\Sigma_1 = \{a, b, e\}$ and $\Sigma_2 = \{a, e, f\}$, and if we consider $w = aefedefr \in \{a, d, e, f, r\}^*$, then $w \downarrow \Sigma_1 = aeee$ and $w \downarrow \Sigma_2 = aefeef$.

Definition 11 (Asynchronous Shuffle). Let $\Sigma_1, \ldots, \Sigma_n$ be $n$ finite sets. Let $\Sigma = \bigcup_{i=1}^{n} \Sigma_i$. Consider $n$ words $u_1, u_2, \ldots, u_n$ with $u_i \in \Sigma_i^*$. The asynchronous shuffle of $u_1, \ldots, u_n$, denoted $u_1 \parallel \cdots \parallel u_n$, is defined as $\{w \in \Sigma^* \mid w \downarrow \Sigma_i = u_i \text{ for } 1 \le i \le n\}$.

As an example, consider $\Sigma_1 = \{a, b, c, f\}$, $\Sigma_2 = \{a, d, e, f\}$, $\Sigma_3 = \{c, d, f\}$, and the words $u_1 = abcf$, $u_2 = adfe$, $u_3 = dcf$. Then the word $w = abdcfe$ is in $u_1 \parallel u_2 \parallel u_3$ since $w \downarrow \Sigma_i = u_i$ for $i = 1, 2, 3$. Similarly, the word $w' = adbcfe$ is also in $u_1 \parallel u_2 \parallel u_3$. However, the word $w'' = aebcfd$ is not in $u_1 \parallel u_2 \parallel u_3$, since $w'' \downarrow \Sigma_2 = aefd$, not $u_2$.

The definition of shuffle can be extended from words to languages. We use the same notation $\parallel$ for the shuffle of sets as well as for the shuffle of words.

The asynchronous shuffle of two languages $L_1, L_2$ is defined as $L_1 \parallel L_2 = \{w_1 \parallel w_2 \mid w_1 \in L_1, w_2 \in L_2\}$. For example, if $L_1 = \{abcf, abbf\}$ is a language over $\Sigma_1 = \{a, b, c, f\}$ and $L_2 = \{adfe\}$ is a language over $\{a, d, e, f\}$, then $L_1 \parallel L_2 = \{abcf \parallel adfe, abbf \parallel adfe\} = \{abcdfe, adbcfe, abdcfe, abbdfe, abdbfe, adbbfe\}$.

Definition 12. Let $M_i = (Q_i, q_i, \Sigma_i, \delta_i)$ and $M_j = (Q_j, q_j, \Sigma_j, \delta_j)$ be complete FSMs. The asynchronous product of $M_i, M_j$ is defined as the FSM $M_i \parallel M_j = (Q_i \times Q_j, (q_i, q_j), \Sigma_i \cup \Sigma_j, \delta)$ where

1. $\delta((q, q'), a) = (\delta_i(q, a), \delta_j(q', a))$ for $a \in \Sigma_i \cap \Sigma_j$,

2. $\delta((q, q'), a) = (\delta_i(q, a), q')$ for $a \in \Sigma_i$, $a \notin \Sigma_j$,

3. $\delta((q, q'), a) = (q, \delta_j(q', a))$ for $a \in \Sigma_j$, $a \notin \Sigma_i$.

On the common events, both FSMs move in parallel; otherwise, they move independently of each other.

It is known that $L(M_i \parallel M_j) = L(M_i) \parallel L(M_j)$. Now we start the proof of Lemma 9.

Consider a valid configuration $\pi$ of $A_1 \parallel A_2$. As seen in Lemma 8, we can find valid configurations $\pi_1$ of $A_1$ and $\pi_2$ of $A_2$ such that $\pi = \pi_1 + \pi_2$. The initial state of $A_1 \parallel A_2$ is $(q_0^1, q_0^2)$, where $q_0^1$ is the initial state of $A_1$ and $q_0^2$ is the initial state of $A_2$. By Definitions 6 and 12, if we consider a string $w = a_1 a_2 \ldots a_n \in L([A_1 \parallel A_2] \downarrow \pi)$, then we can find strings $w_1 \in L(A_1 \downarrow \pi) = L(A_1 \downarrow \pi_1)$ and $w_2 \in L(A_2 \downarrow \pi) = L(A_2 \downarrow \pi_2)$ such that $w \in w_1 \parallel w_2$ in the sense of Definition 11. Hence, $L([A_1 \parallel A_2] \downarrow \pi) \subseteq L(A_1 \downarrow \pi) \parallel L(A_2 \downarrow \pi)$. The converse can be shown in a similar way. □

$^3$ The right hand side $\parallel$ refers to the standard communicating finite state machine composition.

Refinement and Parallel Composition. The definition of parallel composition naturally lends itself to a notion of addition of conformance mappings between design and requirement pairs. Consider FSMr's $R_1, R_2$ corresponding to two features $f_1, f_2$. Let $D_1, D_2$ be the corresponding FSMd's. Let $\rho_1^r, \rho_2^r$ be the global predicates of $R_1, R_2$, and let $\rho_1^d, \rho_2^d$ be the global predicates of $D_1, D_2$ respectively. Assume that $D_1 \sqsubseteq_{\Phi_1} R_1$ and $D_2 \sqsubseteq_{\Phi_2} R_2$. Let $\rho^r = \rho_{12}^r \wedge \rho_1^r \wedge \rho_2^r$ be the global predicate of $R_1 \parallel R_2$; likewise, let $\rho^d = \rho_{12}^d \wedge \rho_1^d \wedge \rho_2^d$ be the global predicate of $D_1 \parallel D_2$. We now want to ask if $D_1 \parallel D_2$ conforms to $R_1 \parallel R_2$. This amounts to computing a conformance mapping between $D_1 \parallel D_2$ and $R_1 \parallel R_2$ given $\Phi_1, \Phi_2$. Consider any valid configuration $\pi^d$ of $D_1 \parallel D_2$. By Lemma 8, we can write $\pi^d$ as $\pi_1^d + \pi_2^d$, where $\pi_1^d, \pi_2^d$ are valid configurations of $D_1, D_2$ respectively. Since $D_1 \sqsubseteq_{\Phi_1} R_1$ and $D_2 \sqsubseteq_{\Phi_2} R_2$, there exist valid configurations $\pi_1^r \in \Phi_1(\pi_1^d)$ and $\pi_2^r \in \Phi_2(\pi_2^d)$ of $R_1, R_2$ respectively. Given this, the addition of $\Phi_1, \Phi_2$ is defined as follows:

Definition 13 (Addition of conformance mappings). The addition of conformance mappings $\Phi_1, \Phi_2$ is defined to be a mapping $\Phi = \Phi_1 + \Phi_2$ as follows. For every valid configuration $\pi^d = \pi_1^d + \pi_2^d$ of $D_1 \parallel D_2$,

$$\Phi(\pi^d) = \{\pi^r \mid \pi^r \text{ is a valid configuration of } R_1 \parallel R_2,\ \pi^r = \pi_1^r + \pi_2^r \text{ for valid configurations } \pi_1^r \in \Phi_1(\pi_1^d),\ \pi_2^r \in \Phi_2(\pi_2^d)\}$$

Lemma 14 (Conformance of composition). Let $R_1$ and $R_2$ be two FSMr machines corresponding to features $f_1, f_2$, and let $D_1$ and $D_2$ be the corresponding FSMd machines. Let $D_1 \sqsubseteq_{\Phi_1} R_1$ and $D_2 \sqsubseteq_{\Phi_2} R_2$. Let $\Phi = \Phi_1 + \Phi_2$ and let $\pi^d$ be a valid configuration of $D_1 \parallel D_2$. Then, $\forall \pi^r \in \Phi(\pi^d)$, $L([(D_1 \parallel D_2) \downarrow \pi^d]) \subseteq L([(R_1 \parallel R_2) \downarrow \pi^r])$.

Proof. Given a valid configuration $\pi^d$ of $D_1 \parallel D_2$, we can write it as $\pi_1^d + \pi_2^d$, where $\pi_1^d, \pi_2^d$ are respectively valid configurations of $D_1, D_2$ (Lemma 8). Since $D_1 \sqsubseteq_{\Phi_1} R_1$ and $D_2 \sqsubseteq_{\Phi_2} R_2$, there exist valid configurations $\pi_1^r \in \Phi_1(\pi_1^d)$ and $\pi_2^r \in \Phi_2(\pi_2^d)$ such that $L(D_1 \downarrow \pi_1^d) \subseteq L(R_1 \downarrow \pi_1^r)$ and $L(D_2 \downarrow \pi_2^d) \subseteq L(R_2 \downarrow \pi_2^r)$.

Since $\Phi$ has been computed, for every valid configuration $\pi^d$ of $D_1 \parallel D_2$ there exists some valid configuration $\pi^r$ of $R_1 \parallel R_2$ with $\pi^r \in \Phi(\pi^d)$. As $\pi^r$ is valid, $\pi^r \models \rho_{12}^r \wedge \rho_1^r \wedge \rho_2^r$; hence $\pi^r$ can be written as $\pi_1^r + \pi_2^r$, where $\pi_1^r, \pi_2^r$ are respectively valid configurations of $R_1, R_2$ (Lemma 8), and $\pi_1^r \in \Phi_1(\pi_1^d)$, $\pi_2^r \in \Phi_2(\pi_2^d)$ by Definition 13.

$L([(D_1 \parallel D_2) \downarrow \pi^d]) = L(D_1 \downarrow \pi_1^d) \parallel L(D_2 \downarrow \pi_2^d)$ by Lemma 9. Similarly, $L([(R_1 \parallel R_2) \downarrow \pi^r]) = L(R_1 \downarrow \pi_1^r) \parallel L(R_2 \downarrow \pi_2^r)$. This, along with the observation that $L(D_1 \downarrow \pi_1^d) \subseteq L(R_1 \downarrow \pi_1^r)$ and $L(D_2 \downarrow \pi_2^d) \subseteq L(R_2 \downarrow \pi_2^r)$, gives $L([(D_1 \parallel D_2) \downarrow \pi^d]) \subseteq L([(R_1 \parallel R_2) \downarrow \pi^r])$. □



Considering the example, in the FSMr $Req_{dl} \parallel Req_{du}$ with $\rho^r : DL\_Enable = DU\_Enable \wedge Transmission_{dl} = Transmission_{du}$, any configuration where $DL\_Enable = Enable$ but $DU\_Enable = Disable$ is invalid. However, $\Phi((Auto, Speed))$ contains only configurations where $DL\_Enable = Enable$, $\Phi'((Moff, Poff))$ contains only configurations where $DU\_Enable = Disable$, and $(Auto, Speed) + (Moff, Poff)$ is a valid configuration of $Des_{dl} \parallel Des_{du}$. So the design does not conform to the requirement. However, if we make the extra assumption that $\rho^d : Cp1 = Moff \wedge Cp2 = Poff \Leftrightarrow Cp3 = Moff \wedge Cp4 = Poff$, then $(Auto, Speed)$ and $(Moff, Poff)$ are not compatible anymore and as a result the design conforms to the requirement.

3.1 Conformance Checking 

Let $F = \{f_1, \ldots, f_n\}$ be a set of features and $T$ be the complete system comprising the features in $F$, along with the relations between the features. Let $R_i$ be the FSMr modeling the expected behavior and variability of $f_i$, and $D_i$ the FSMd extracted from the design of $f_i$. Let $p^r_{12\ldots n}$, $p^d_{12\ldots n}$ be the compositional predicates for $R_1 \parallel \cdots \parallel R_n$ and $D_1 \parallel \cdots \parallel D_n$ respectively. Now we state the variability conformance problem for an SPL as follows: does there exist a conformance mapping $\xi$ such that $D_1 \parallel \cdots \parallel D_n \leq_{\xi} R_1 \parallel \cdots \parallel R_n$? A compositional approach to solve the problem is to:

(i) check whether the design of every feature conforms to its requirement using Algorithm 1; (ii) check whether every valid configuration of $D_1 \parallel \cdots \parallel D_n$ can be mapped to a valid configuration of $R_1 \parallel \cdots \parallel R_n$. This is the conformance condition.

3.2 Checking Conformance Using QBF 

We implement the second check using QBF solving. Given FSMd's $D_1, \ldots, D_n$ and FSMr's $R_1, \ldots, R_n$:

(1) Let $Var(D_i) = \{v^d_{i1}, \ldots, v^d_{in}\}$ be the set of variables of design $D_i$, and $Var(R_i) = \{v^r_{i1}, \ldots, v^r_{in}\}$ the set of variables of requirement $R_i$. Let $\pi^d_i : (v^d_{i1} = a_1, \ldots, v^d_{in} = a_n)$ be a configuration of $D_i$. We denote by $\pi^d_i(x_{i1}, \ldots, x_{in})$ a formula which takes $n$ values from $Dom(D_i)$, $1 \leq i \leq n$, as arguments. If $(v^d_{i1} = a_1, \ldots, v^d_{in} = a_n)$ is a chosen assignment, then $\pi^d_i(x_{i1}, \ldots, x_{in})$ is the conjunction $\bigwedge_{j=1}^{n} (x_{ij} = a_j)$.

(2) Given $n$ FSMd's and $n$ FSMr's, check if $D_i$ conforms to $R_i$ for all $1 \leq i \leq n$ using Algorithm 1. This gives the map $\xi_i$. Assume $\xi_i(\pi^d_i) = \{\pi^r_{i1}, \ldots, \pi^r_{ik}\}$, where each of $\pi^r_{i1}, \ldots, \pi^r_{ik}$ is a configuration of $R_i$ that has been mapped by $\xi_i$ to some configuration $\pi^d_i$ of $D_i$.

(3) We encode the above conformance mapping using the formula $\xi_i(x_{i1}, x_{i2}, \ldots, x_{in}) = \bigvee_{j=1}^{k} \pi^r_{ij}(y_{i1}, \ldots, y_{in})$, where $x_{ij}$ takes values from $Dom(v^d_{ij})$, and $y_{ij}$ from $Dom(v^r_{ij})$.

(4) Let $\varphi^d_{ij} = p^d_i \wedge p^d_j \wedge p^d_{ij}$ and $\varphi^r_{ij} = p^r_i \wedge p^r_j \wedge p^r_{ij}$ represent respectively the propositional formulae which ensure consistency of the global predicates of $D_i, D_j$ and $R_i, R_j$ along with the compositional predicates $p^d_{ij}$ and $p^r_{ij}$. Given a set $S \subseteq \{1, 2, \ldots, n\}$, $\varphi^d_S$ and $\varphi^r_S$ can be appropriately written.
The QBF formula for conformance checking is given by

$$\Phi = \forall x_{11} \ldots x_{nn}\ \big[\varphi^d_{1,2,\ldots,n} \Rightarrow \exists y_{11} \ldots y_{nn}\ (\xi_1 \wedge \cdots \wedge \xi_n \wedge \varphi^r_{1,2,\ldots,n})\big]$$
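The conformance condition of Section 3.1, the addition of mappings of Definition 13 and the QBF Φ above, as an added example that is not code from the paper or from SPLEnD: the check is decided here by plain enumeration of the finite domains rather than by a QBF solver, and the per-feature mappings, the variable names (Cp1..Cp4, DL_Enable, DU_Enable, Transmission_dl, Transmission_du) and their values are constructed after the Req_dl/Req_du example of Section 3, not taken from the paper's models.

```python
from itertools import product

# Added example (not the paper's SPLEnD code): the conformance condition of
# Sections 3.1/3.2, i.e. the QBF  forall x [phi^d => exists y (xi_1 ^ ... ^ xi_n ^ phi^r)],
# decided by enumerating the finite domains. A configuration is a tuple of
# (variable, value) pairs; "+" of configurations is dict union (Definition 13).

def merge(parts):
    """Add per-feature configurations pi_1 + ... + pi_n into one assignment."""
    return {var: val for part in parts for var, val in part}

def conforms(xis, p_d, p_r):
    """xis[i] maps each design configuration of D_i to the set of requirement
    configurations xi_i(pi^d_i) found by Algorithm 1 for feature i; p_d and p_r
    are the compositional predicates of D_1||...||D_n and R_1||...||R_n.
    Returns (True, None) when every valid design configuration has a valid
    requirement configuration pi^r_1 + ... + pi^r_n with pi^r_i in xi_i(pi^d_i),
    otherwise (False, the design configuration that has no such image)."""
    for parts in product(*[list(xi) for xi in xis]):
        pi_d = merge(parts)
        if not p_d(pi_d):            # fails phi^d: the implication holds vacuously
            continue
        images = [xis[i][parts[i]] for i in range(len(xis))]
        if not any(p_r(merge(cand)) for cand in product(*images)):
            return False, pi_d       # no witness for the existential quantifier
    return True, None

# Constructed mappings modelled on the Req_dl / Req_du example of Section 3.
# The paper gives only the shape of xi; variable names and values are assumptions.
AS_DL, MP_DL = (("Cp1", "Auto"), ("Cp2", "Speed")), (("Cp1", "Moff"), ("Cp2", "Poff"))
AS_DU, MP_DU = (("Cp3", "Auto"), ("Cp4", "Speed")), (("Cp3", "Moff"), ("Cp4", "Poff"))
XI_DL = {AS_DL: {(("DL_Enable", "Enable"), ("Transmission_dl", "Auto"))},
         MP_DL: {(("DL_Enable", "Disable"), ("Transmission_dl", "Auto"))}}
XI_DU = {AS_DU: {(("DU_Enable", "Enable"), ("Transmission_du", "Auto"))},
         MP_DU: {(("DU_Enable", "Disable"), ("Transmission_du", "Auto"))}}

def p_r(c):  # p^r : DL_Enable = DU_Enable  and  Transmission_dl = Transmission_du
    return c["DL_Enable"] == c["DU_Enable"] and c["Transmission_dl"] == c["Transmission_du"]

def p_d_none(c):  # no compositional predicate at the design level
    return True

def p_d_extra(c):  # p^d : Cp1 = Moff and Cp2 = Poff  <=>  Cp3 = Moff and Cp4 = Poff
    return (c["Cp1"] == "Moff" and c["Cp2"] == "Poff") == (c["Cp3"] == "Moff" and c["Cp4"] == "Poff")

if __name__ == "__main__":
    print(conforms([XI_DL, XI_DU], p_d_none, p_r))   # (Auto, Speed) + (Moff, Poff) has no image
    print(conforms([XI_DL, XI_DU], p_d_extra, p_r))  # (True, None)
```

Without the extra design-level predicate the counterexample returned is exactly the design configuration the text discusses; with it, that configuration is no longer valid and the check passes.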

Theorem 1. Given an SPL, let $\{f_1, \ldots, f_n\}$ be the set of features in a chosen product. Let $D_i$, $R_i$ be the FSMd and FSMr for feature $f_i$. Then $D_1 \parallel \cdots \parallel D_n$ conforms to $R_1 \parallel \cdots \parallel R_n$ iff $\Phi$ holds.

Proof. Given $D_i \leq_{\xi_i} R_i$, assume that $D_1 \parallel \cdots \parallel D_n$ conforms to $R_1 \parallel \cdots \parallel R_n$. Then, by definition of conformance, it means that for all valid configurations $\pi^d$ of $D_1 \parallel \cdots \parallel D_n$ there exists a valid configuration $\pi^r$ of $R_1 \parallel \cdots \parallel R_n$ such that $L([D_1 \parallel \cdots \parallel D_n] \downarrow \pi^d) \subseteq L([R_1 \parallel \cdots \parallel R_n] \downarrow \pi^r)$. Let $\xi$ be the conformance mapping such that $\pi^r \in \xi(\pi^d)$.

$\pi^d$ is a valid configuration of $D_1 \parallel \cdots \parallel D_n$ implies that $\pi^d \models \bigwedge_{S \subseteq \{1,2,\ldots,n\}} p^d_S$, where $p^d_S$ is the global predicate of $D_{i_1} \parallel \cdots \parallel D_{i_j}$ when $S = \{i_1, \ldots, i_j\}$. Using Lemma 8 repeatedly, we can then say that $\pi^d = \pi^d_1 + \cdots + \pi^d_n$ for valid configurations $\pi^d_i$ of $D_i$. Since $\pi^r \in \xi(\pi^d)$, by definition of conformance mappings, $\pi^r$ must be a valid configuration of $R_1 \parallel \cdots \parallel R_n$, hence $\pi^r = \pi^r_1 + \cdots + \pi^r_n$ (Lemma 8), such that $\pi^r_i \in \xi_i(\pi^d_i)$, for valid configurations $\pi^r_i$ of $R_i$. $\pi^r$ is valid means $\pi^r \models \bigwedge_{S \subseteq \{1,2,\ldots,n\}} p^r_S$.

Given the above, we show that the QBF $\Phi$ holds. The LHS of the QBF $\Phi$ is the formula $\varphi^d_{1,2,\ldots,n}$, which is the conjunction of $p^d_S$ for all subsets $S$ of $\{1, 2, \ldots, n\}$. The forall quantifier outside would thus evaluate all configurations of $D_1 \parallel \cdots \parallel D_n$ that satisfy $\varphi^d_{1,2,\ldots,n}$, i.e. which satisfy $\bigwedge_{S \subseteq \{1,2,\ldots,n\}} p^d_S$; hence, all valid configurations of $D_1 \parallel \cdots \parallel D_n$.

For the QBF to hold good, for all valid configurations of $D_1 \parallel \cdots \parallel D_n$ that have been evaluated on the LHS, we must find some configuration of $R_1 \parallel \cdots \parallel R_n$ that satisfies $\xi_1 \wedge \cdots \wedge \xi_n \wedge \varphi^r_{1,2,\ldots,n}$: (i) a configuration $\pi$ of $R_1 \parallel \cdots \parallel R_n$ that satisfies $\varphi^r_{1,2,\ldots,n}$ would be valid; (ii) further, if it has to satisfy $\xi_1 \wedge \cdots \wedge \xi_n$, it must agree with $\pi^r_i \in \xi_i(\pi^d_i)$ over $Var(R_i)$ for all $1 \leq i \leq n$. By Lemma 8 this means that $\pi$ can be written as $\pi^r_1 + \cdots + \pi^r_n$. Thus, for the QBF to hold, we must be able to find for each valid configuration of $D_1 \parallel \cdots \parallel D_n$ a valid configuration $\pi^r$ of $R_1 \parallel \cdots \parallel R_n$ which can be written as $\pi^r_1 + \cdots + \pi^r_n$, where $\pi^r_i \in \xi_i(\pi^d_i)$ for each $i$. But this is exactly what the mapping $\xi$ which checks for conformance of $D_1 \parallel \cdots \parallel D_n$ with $R_1 \parallel \cdots \parallel R_n$ does. Since we assume that $\xi$ exists, the QBF holds.

The converse can be shown in a similar way: that is, if the QBF formula $\Phi$ holds, then $D_1 \parallel \cdots \parallel D_n$ will conform to $R_1 \parallel \cdots \parallel R_n$. □

4 Implementation and Case Studies 



Figure 5 pictorially describes the tool SPLEnD. It takes as input a pair of XML files corresponding to the FSMd and the FSMr of each feature and outputs a PROMELA file. The latter is fed to SPIN, which returns the conformance mappings or declares non-conformance; given the conformance mapping, the tool computes a QBF formula $\Phi$ which is fed to CirQit.

We considered two real case studies for our experimentation: the Entry Control Product Line (ECPL), having 7 features, and the Banking Software Product Line (BSPL), composed of 25 features. The details of the ECPL and BSPL case studies are given below. The FSMr and FSMd models of each feature contain fewer than 10 states.



5 ECPL and BSPL 



In this section, we describe the two product lines that have been considered in the paper: (i) ECPL and (ii) BSPL.



5.1 ECPL 

The Entry Control Product Line comprises all the features involved in the man- 
agement of the locks in a car. In this study, we focus on the following features: 

— Power lock: this is the basic locking functionality which manages the locking/unlocking according to key button press and courtesy switch press,

— Last Door Closed Lock delays the locking of the doors until all the doors are closed. It is applicable when the lock command happens while a door is open,

— Door lock automates the locking of doors when the vehicle starts,

— Door unlock automates the unlocking of door(s) when the vehicle stops,

— Anti-lockout is intended to prevent inadvertent lockout situations: the driver is out of the car with the key inside and all the doors locked,

— Post crash unlock unlocks all the doors in a post crash situation,

— Theft security lock secures the car with a second lock.



Each feature is represented as a pair of state machines containing 3 to 10 states. 



[Figure 5 (image): pipeline of the SPLEnD tool. Inputs: pairs of XML files (FSMd.xml, FSMr.xml) for each feature; the SPLEnD Tool produces a PROMELA file and a conformance mapping, which is passed to CirQit 3.1.7.]

Fig. 5. Overview of SPLEnD



The variability constraints of the ECPL. Figure 6 presents the feature diagram of the ECPL (à la Czarnecki [4]). This diagram presents the variability constraints of the ECPL at the requirement level ($p^r$). All the constraints represented by this diagram have to be considered during composition to guarantee the overall consistency of the SPL behavior. The dark gray boxes are features of the ECPL: Power lock, Anti-lockout, Door lock, Door unlock, and Post crash unlock. The light gray boxes are configurations. The black arrow from the "Manual" configuration to the "Shift out of park" configuration and to the "Shift into park" configuration says that if the transmission is manual, the targeted configurations cannot be selected, i.e. in the "Manual" configuration there is no "park" gear.



[Figure 6 (image): feature diagram rooted at "Entry control"; the "Excludes" arrows are the ones described in the text above.]

Fig. 6. The feature diagram of the ECPL.



5.2 BSPL 

The Banking Software Product Line (BSPL) consists of 25 behavioral features. The BSPL is used to derive the software for ATM, Bank, Online Banking and Mobile Banking. Figure 7 presents the feature diagram of the BSPL.



Similar to ECPL, we ran Algorithm 1 on all the 25 features of BSPL. In Section 4, Figure 10 presents the number of design configurations and the execution time of Algorithm 1 for each feature. In the following, we elaborate on the FSMv of 2 features: (i) User Interface and (ii) Withdraw Money. The FSMd/FSMr for all the features have between 2 and 10 states (both inclusive). Figure 8 is the FSMr for feature User Interface, which has UI as an event with global predicate $p = \{\neg(uip = Disable)\}$. There is only one boolean variable, $Var = \{uip\}$; $uip$ takes values from $\{Enable, Disable\}$.

[Figure 7 (image): the feature diagram of the BSPL; the WithdrawMoney feature is among the nodes shown.]

Fig. 7. The feature diagram of the BSPL.

[Figure 8 (image): FSMr for feature User Interface; transition labeled UI: uip=Enable; uip = {Enable, Disable}; p = {¬(uip=Disable)}.]

Fig. 8. FSMr for feature: User Interface.

Figure 9 is the FSMd for feature User Interface. This FSMd shares the event UI with the FSMr and has global predicate $p = \{(type = 2D \vee type = 3D)\}$. There are two variables, $Var = \{type, graphics\}$; $type$ takes values from $\{2D, 3D\}$, while $graphics$ takes values from $\{Enable, Disable\}$.

The analysis results for the two case studies are summarized in Figures 11 and 10, which give the times taken by Algorithm 1. The number of product variants and the time taken by Algorithm 1 are very small in both case studies. In the case of ECPL, a bug was found in the feature Door Lock (see the footnote below). In this case, after fixing the bug, for the second step we used SPIN, which took 11 seconds. For BSPL, the second step was performed using the QBF approach and CirQit took just 0.005 seconds.



Footnote: In $Des_{dl}$ the transition from the middle elliptical state to the round state labeled with $Poff : ShiftOutOfPark$ is incorrect; $\xi((Auto, Poff)) = \emptyset$. Removing this transition fixes the bug.



[Figure 9 (image): FSMd for feature User Interface; variables type = {2D, 3D} and graphics = {Enable, Disable}; global predicate p = {(type = 2D ∨ type = 3D)}; transition labeled UI: type=2D ∧ graphics=Enable.]

Fig. 9. FSMd for feature: User Interface.



Sr. No.  Features                       Design Variants  SPIN Time (Sec)
1        UserInterface                  6                0.002
2        CheckingBalance                3                0.003
3        WithdrawMoney                  8                0.027
4        DepositMoney                   2                0.002
5        PrintingStatement              3                0.002
6        Login                          1                0.001
7        ATMLogin                       1                0.001
8        ChangeAccountPassword          2                0.003
9        PayBills                       2                0.003
10       PrintingBalanceAfterWithdraw   2                0.003
11       CheckingMoneyExchangeRate      2                0.003
12       MoneyExchange                  2                0.004
13       InternationalTransfer          2                0.006
14       LocalTransferToOtherBank       1                0.004
15       LanguageSelection              2                0.001
16       MobileTopUp                    2                0.002
17       ChangeMaxLimitForWithdrawal    1                0.003
18       LocalTransferToSameBank        3                0.003
19       AddBeneficiary                 1                0.002
20       RemoveBeneficiary              1                0.002
21       CreateDemandDraft              2                0.003
22       ChequeClearance                1                0.003
23       FastWithdrawal                 1                0.002
24       CreditCardPayment              2                0.002
25       UpdateContactDetails           2                0.004

Fig. 10. Execution time of FSMv-Verifier on Algorithm 1 for BSPL



Features         PL & LDCL  PCU    DL     DU     AL     TSL
Design Variants  8          3      4      7      3      8
SPIN Time (Sec)  0.436      0.031  0.046  0.109  0.015  0.218

Fig. 11. Execution time of FSMv-Verifier on Algorithm 1 for ECPL



In the automotive domain, very large SPLs are constructed [23]. Before undertaking the task of modeling such large examples, in order to quickly determine the scalability of our approach, we generated many random SPLs with 5000 to 25,000 features. Each of the corresponding FSMr/FSMd has two variables (four variants) and 3 to 8 states. Similar to the ECPL and BSPL cases, SPIN took very little time (less than 0.5 seconds) for each (FSMr, FSMd) pair. The composite FSMr/FSMd, and hence the QBF formula $\Phi$, then has 10,000 to 50,000 variables. As we can see from Figure 12, the time taken for the largest example is 196.69 seconds, which is quite efficient. Encouraged by this result, we plan to take up the large industrial case studies.



Variables in FSMr/FSMd   10000  20000  30000  40000   50000
CirQit 3.1.7 time (Sec)  4.47   25.77  65.67  119.49  196.69

Fig. 12. Execution time of QBF for Scalability



6 Conclusion 

This paper motivated the need for extending the classical design verification problem to evolving SPLs in which features and variability information can be added incrementally. The novel aspects of the proposed work are: (i) it verifies that the variability at the design level conforms to that at the requirement level, (ii) it is compositional and (iii) it reduces the conformance checking problem to QBF satisfiability solving. A prototype tool has been implemented and experimented with on modest-sized examples, with encouraging results.